Currently the security model requires both.
Miners propose blocks, masternodes lock it in. To 51% attack the network you need to either take down the masternodes or to host enough masternodes to control the network. The former is more likely. Once you bring down the masternodes or Sybil the masternodes, then you need sufficient hashrate again to attack the chain.
There are times where the network can become vulnerable even with masternodes for example during hard forks. If not enough masternodes upgrade or fall out of sync or there’s a network partition, the masternode quorums may not form properly and therefore blocks are not chainlocked. If blocks are not chainlocked, then traditional Nakamoto consensus prevails meaning it is only the miners then providing security. So masternodes provide the security the vast majority of the time by checkpointing blocks but miners still are the ones proposing blocks and inserting transactions into them.